
ISE 2.2 SCCM 5.x remediation issue

Bcssi Network
Level 1

We have configured a Patch Management condition for SCCM 5.x on ISE (2.2) with a remediation action to install missing "critical" patches.

The issue is that when the endpoint is connected to VPN, the ISE posture module checks the patch management requirement and completes the system scan with "Compliant" status even when the endpoint is missing 2 critical patches.

Any suggestions?

7 Replies

hslai
Cisco Employee

Is this issue only with RA-VPN connections and working fine when the client devices are on premise?

Please gather the AnyConnect DART bundles for the working and the not-working and the timestamps of the occurrences and submit them to Cisco TAC.

Our setup is for RA AnyConnect VPN only.

Ok. Just send the DART bundle to Cisco TAC for evaluation.

You can try changing the compliance module to the latest 4331 from Cisco.

Suggest reviewing the Cisco ISE and SCCM Integration Reference Guide.

Note that compliance is as reported by the SCCM client at the point of interrogation by AnyConnect. It may be Compliant based on its last check-in, but you cannot force an immediate check-in at the point of posture. The above guide should help provide pointers on this configuration. ISE 2.3 also adds enhancements to validate that the client patch level is up to date (i.e. critical, important, etc.) using a new logic where ISE communicates with Microsoft Update Servers on the backend.

/Craig
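To see for yourself what the SCCM client will answer when the posture module asks it, and how stale that answer is, you can read the client's own compliance records and trigger a fresh scan. The following PowerShell is an added example for this thread, not code from Cisco or Microsoft; it assumes an elevated session on a Windows endpoint with the ConfigMgr client installed, uses the documented root\ccm WMI/CIM namespaces, and the 120-second wait after triggering the scan is an arbitrary assumption for a client that can reach its software update point.

```powershell
# Added example (not from the thread): inspect what the local SCCM (ConfigMgr) client
# currently reports about software-update compliance, and kick off a fresh scan so the
# next posture interrogation sees current data. Run in an elevated PowerShell session on
# a Windows endpoint that has the ConfigMgr client installed.

# Well-known ConfigMgr client schedule IDs for SMS_Client.TriggerSchedule.
$ScanCycleId      = '{00000000-0000-0000-0000-000000000113}'  # Software Updates Scan Cycle
$DeploymentEvalId = '{00000000-0000-0000-0000-000000000108}'  # Software Updates Deployment Evaluation Cycle

function Get-CcmMissingUpdates {
    # CCM_SoftwareUpdate lists updates the client knows are deployed to this machine.
    # ComplianceState 0 = missing (not installed), 1 = installed. This is the data the
    # posture agent's "SCCM" patch check is ultimately built on.
    Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' |
        Where-Object { $_.ComplianceState -eq 0 } |
        Select-Object ArticleID, Name, EvaluationState, Deadline
}

function Get-CcmUpdateStoreStatus {
    # The UpdatesStore namespace records the result of the last scan per update,
    # including ScanTime, so you can see how old the "Compliant" answer actually is.
    Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' -ClassName 'CCM_UpdateStatus' |
        Where-Object { $_.Status -eq 'Missing' } |
        Select-Object Article, Title, Status, ScanTime
}

function Invoke-CcmUpdateScan {
    # Trigger the scan and deployment-evaluation cycles. This is what "forcing a check-in"
    # looks like from the endpoint; the posture agent itself has no hook to do this.
    param([int]$WaitSeconds = 120)   # assumed wait; the scan runs asynchronously
    foreach ($id in @($ScanCycleId, $DeploymentEvalId)) {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = $id } | Out-Null
    }
    Start-Sleep -Seconds $WaitSeconds
}

function Install-CcmMissingUpdates {
    # Ask the client to install everything it currently reports as missing, which is the
    # same operation an ISE remediation action relies on the SCCM client to perform.
    $missing = Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' |
        Where-Object { $_.ComplianceState -eq 0 }
    if (-not $missing) { return $null }
    Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdatesManager' `
        -MethodName 'InstallUpdates' -Arguments @{ CCMUpdates = [ciminstance[]]$missing }
}

Write-Host 'Before scan (what the posture agent would see right now):'
Get-CcmMissingUpdates    | Format-Table -AutoSize
Get-CcmUpdateStoreStatus | Format-Table -AutoSize

Invoke-CcmUpdateScan

Write-Host 'After a fresh scan:'
Get-CcmMissingUpdates | Format-Table -AutoSize
```

If the "before" output shows no missing updates while Windows Update or the SCCM console shows two, the endpoint has simply not scanned since those updates were deployed, which is the situation Craig describes: the posture module reported what the client believed, not what the server knows. Comparing ScanTime against the VPN connection time in the DART bundle is a quick way to confirm that before opening the TAC case.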

Ok, but doesn't that completely defeat the purpose of posture check/remediation? How are we supposed to stop and remediate endpoints that are out of date on critical OS patches before they are on the network? Not sure why Cisco even added SCCM integration into ISE Posture if the SCCM client can't perform real-time/on-demand checks.

Thanks for your response.

This is a matter of how the native SCCM client works rather than a limitation of the ISE agent. Many customers find it acceptable to maintain compliance via this mechanism, but you can choose to use an alternative method such as Cisco Rules to determine patch compliance, or interrogate the SCCM server directly (DM integration) and base access on that. Other methods include DM integration with Intune or another non-MS patch manager or MDM, WSUS, Windows Update, etc. There is always some compromise if you choose to make the hard-line decision that no access is granted if an endpoint is deemed not compliant at the point of connection.